Figure 5: AES Error Reporting

error in the experiment, a configuration error in the virtual machine, something specific about the object of the experiment (a particular malware sample or exploit), an error in the host (a configuration error in VMware), etc. To help us discriminate between these situations and identify the source of an error more quickly, we developed another web-based application to visualize them. Figure 5 shows the error visualization for our static malware analysis experiment set; most of the errors are due to scanning taking longer than expected. When an error is raised, a screenshot of the actor of the step causing the error is taken. For instance, Figure 5 lists experiment errors that we obtained with several anti-virus products; in these cases, our AutoIt scripts were responsible for the errors.

3.4.4 Desktop Viewers

To visualize the display of each experiment coordinator and virtual machine, we use VMware Infrastructure Client (www.vmware.com/products/vsphere/) and an open source VNC client called VNC Thumbnail Viewer (thetechnologyteacher.wordpress.com/vncthumbnailviewer/), shown in Figure 6 and Figure 7 respectively. The VMware client lets us see the display of all virtual machines, regardless of whether they are in an isolated network or not. We use the VNC client to see and control the experiment coordinators. Also, with the latest version of VMware Workstation, one can connect to any virtual machine through VNC. Since this feature does not rely on a VNC server being installed inside the virtual machine but is managed directly by VMware Workstation, it enables the remote visualization of all virtual machines, even those located in an isolated network: the display is served by the host, so neither a network path into the isolated segment nor a VNC server inside the guest is needed.

Figure 6: VMware Infrastructure Client Experiment Viewer

4. THE CYBER OBSERVATORY IN ACTION

Figure 8 presents the Cyber Observatory. First, we automatically gather new cyber threats on a daily basis using our Web Crawler, honeypot networks and commercial/academic feeds. The VLab images are manually updated or created based on the requirements of the experiments. Second, the information about cyber threats, the VLab images and the analysis results from previous experiments are used to generate the experiments that will be conducted by the AES. Since 2005, we have used the AES within our Cyber Observatory to perform various types of experiments. Some run continuously every day (e.g., the experiments presented in Sections 4.2, 4.6 and 4.7) to provide insight into old, current and new cyber threats, while others were one-off experiments (e.g., those presented in Sections 4.1, 4.3, 4.4 and 4.5). Third, the AES conducts these experiments and the results are analyzed by the BEAVER analysis module. Finally, the analysis results are stored in a database that can be accessed through a web portal. In this section, we describe seven of these experiments. For the scientific conclusions drawn from each one, we refer the reader to the bibliographic references provided in each sub-section.

4.1 Operating System Fingerprinting

We initiated our work in experimental cyber security while doing research on Operating System Fingerprinting [6]. To pursue this project, we needed traffic traces recorded during the execution of several fingerprinting tools against many different operating systems. We created nearly 200 Target images with different operating system versions, which constituted the very first version of the VLab. However, as we had not yet foreseen the long-term need for automation, executing the various fingerprinting tools and recording the traffic traces required manual intervention. It quickly became clear that automation was required for conducting such a large experiment.

4.2 Intrusion Detection System Evaluation

Figure 7: VNC Thumbnail Experiment Viewer

Our experience with Operating System Fingerprinting inspired us to develop the Automated Experimentation System (AES). The first time we used it was to produce an Intrusion Detection System (IDS) evaluation data set [14]. Our goal was to mitigate some known issues of other IDS evaluation data sets [16]. The generated data set is composed of traffic traces recorded during the execution of about 150 server-side exploit programs against more than 120 target systems (we did not program the AES to interact with all the virtual machine images, i.e., the different virtualization technologies, used in the operating system fingerprinting experiment). The generation of this data set demonstrated the scalability of the AES, as we used it to conduct more than 18000 experiments (one for each target/exploit program pair, plus a few more for the various optional command-line arguments of each exploit). Although the generated data set was best suited for evaluating signature-based IDSs, it addresses some of the problems described in [16]. Later, we generated other IDS evaluation data sets that included IDS evasion techniques [14] and client-side exploit programs.

Figure 8: Cyber Observatory (components: Web Crawler/Honeypot/Feeds, Cyber Threats Database, OS/Applications Download and Update, Security Products Download and Update, VLab, Experiment Generation, Experiment Repository, Automated Experimentation System, BEAVER Analysis, Cyber Threat Analysis Database, Web Portal; experiments: A. OS Fingerprinting, B. IDS Evaluation, C. Server-Side Software Discovery, D. Honeypot Script Generation, E. Attack Verification Rule Generation, F. Dynamic Malware Analysis, G. Static Malware Analysis)

4.3 Server-Side Software Discovery

It has often been claimed that using network context information can improve IDS accuracy by discarding attacks that are unlikely to have succeeded. This approach relies on knowledge of the target system configuration (e.g., the name and version of the various software installed on it) and on vulnerability databases (e.g., SecurityFocus) to determine whether or not the target system is indeed vulnerable to an attack. Although several authors proposed using network context information in IDS signatures [5, 18], we observed that nobody had systematically assessed the effectiveness of this approach. We believe that the burden of manually performing the numerous required test cases is the reason why no one had done it before. The AES, together with our work on operating system fingerprinting and IDS evaluation, placed us in an ideal position to perform this assessment [11]. First, we used the intrusion detection data set described in the previous section together with existing vulnerability databases to assess the effectiveness of the network context information approach in an ideal world, i.e., one where the target system configuration is already known. Second, we used the AES to generate a new network context information discovery data set in order to determine how effective the approach is when the target system configuration is not already known. Among other things, this new data set contained the updated operating system fingerprinting test cases of the data set presented in [6]. These new traffic traces were generated by the AES, using 15 coordinators, without human intervention, within a matter of days.

4.4 Honeypot Script Generation

In a collaboration with Leita et al. at the Eurecom Institute [13], the AES was used to contribute to the improvement of a honeypot technology called ScriptGEN. What distinguishes ScriptGEN from other honeypot technologies is its ability to adapt to 0-day vulnerability exploitation techniques by automatically generating vulnerability emulation scripts from recorded attack attempts. The recorded attack attempts are replayed against a vulnerable system, and appropriate emulation scripts are generated based on the vulnerable system's reaction. This allows the ScriptGEN platform to capture new self-propagating malware without human intervention. In order to facilitate the development of the ScriptGEN algorithms, the AES was used to record about a hundred different execution instances of several exploit programs. Randomness was incorporated into each execution so that, even though the target system was always in the same initial state, the attack instances actually differed from each other. The traffic
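The network-context filtering assessed in Section 4.3, as an added example that is not code from the paper or from the AES/BEAVER tooling: a small Python model of the decision rule (discard an IDS alert only when the vulnerability database definitively rules the target out), run once in the ideal world of a fully known target configuration and once on a discovered, incomplete inventory. The signature names, product names, version ranges, hosts, alerts and the set of attacks that actually succeeded are constructed for illustration, and representing a vulnerability database as product/version ranges is an assumption.

```python
"""Network-context filtering of IDS alerts: discard an alert only when the
vulnerability database definitively says the target cannot be affected.

Added example, not code from the paper or from the AES/BEAVER tooling. The
signatures, products, version ranges, hosts, alerts and success set below are
constructed for illustration, not real advisories or a real data set."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.52' -> (2, 0, 52); the toy assumes purely numeric dotted versions."""
    return tuple(int(x) for x in v.split("."))


@dataclass(frozen=True)
class VulnEntry:
    """Vulnerability-database row (assumed shape): the product and inclusive
    version range that a signature's exploit actually affects."""
    signature: str
    product: str
    min_version: str
    max_version: str


@dataclass
class Target:
    """Inventory of one target. software maps product -> version, or None when
    the product was seen but its version was not. complete is True only for an
    authoritative inventory (the 'ideal world'); discovery results are not."""
    host: str
    software: Dict[str, Optional[str]]
    complete: bool


def is_vulnerable(target: Target, entry: VulnEntry) -> Optional[bool]:
    """True/False when the inventory decides the question, None when it cannot."""
    if entry.product not in target.software:
        # Absent from a complete inventory means not installed; absent from a
        # discovered inventory only means not observed, which decides nothing.
        return False if target.complete else None
    version = target.software[entry.product]
    if version is None:
        return None  # product present, version unknown: cannot rule it out
    return parse_version(entry.min_version) <= parse_version(version) <= parse_version(entry.max_version)


def filter_alerts(alerts: List[Tuple[str, str]], targets: Dict[str, Target],
                  vulndb: List[VulnEntry]) -> Dict[Tuple[str, str], str]:
    """Map each (signature, host) alert to 'keep' or 'discard'. Discard only when
    every entry for the signature is ruled out; unknowns and unlisted signatures
    are kept, since the filter must never hide an attack that could have worked."""
    by_sig: Dict[str, List[VulnEntry]] = {}
    for e in vulndb:
        by_sig.setdefault(e.signature, []).append(e)
    verdicts: Dict[Tuple[str, str], str] = {}
    for sig, host in alerts:
        results = [is_vulnerable(targets[host], e) for e in by_sig.get(sig, [])]
        ruled_out = bool(results) and all(r is False for r in results)
        verdicts[(sig, host)] = "discard" if ruled_out else "keep"
    return verdicts


def assess(verdicts: Dict[Tuple[str, str], str],
           successful: Set[Tuple[str, str]]) -> Dict[str, int]:
    """Count discarded alerts and, the dangerous error, discarded alerts whose
    attack actually succeeded (known here because the data set was generated)."""
    discarded = [k for k, v in verdicts.items() if v == "discard"]
    return {"alerts": len(verdicts), "discarded": len(discarded),
            "missed": sum(1 for k in discarded if k in successful)}


# Constructed sample data.
VULNDB = [VulnEntry("EXPLOIT-A", "httpd", "2.0.0", "2.0.52"),
          VulnEntry("EXPLOIT-B", "ftpd", "1.0", "1.3")]
ALERTS = [("EXPLOIT-A", "web1"), ("EXPLOIT-A", "web2"), ("EXPLOIT-A", "db1"),
          ("EXPLOIT-B", "ftp1"), ("EXPLOIT-B", "web1"), ("EXPLOIT-C", "web2")]
SUCCESSFUL = {("EXPLOIT-A", "web1"), ("EXPLOIT-B", "ftp1")}
IDEAL_TARGETS = {  # configuration known exactly
    "web1": Target("web1", {"httpd": "2.0.50"}, complete=True),
    "web2": Target("web2", {"httpd": "2.2.3"}, complete=True),
    "ftp1": Target("ftp1", {"ftpd": "1.2"}, complete=True),
    "db1": Target("db1", {}, complete=True)}
DISCOVERED_TARGETS = {  # what network-based discovery managed to observe
    "web1": Target("web1", {"httpd": "2.0.50"}, complete=False),
    "web2": Target("web2", {"httpd": "2.2.3"}, complete=False),
    "ftp1": Target("ftp1", {"ftpd": None}, complete=False),  # banner hid the version
    "db1": Target("db1", {}, complete=False)}                 # nothing observed


def run_demo() -> Dict[str, Dict[str, int]]:
    return {"ideal": assess(filter_alerts(ALERTS, IDEAL_TARGETS, VULNDB), SUCCESSFUL),
            "discovered": assess(filter_alerts(ALERTS, DISCOVERED_TARGETS, VULNDB), SUCCESSFUL)}


if __name__ == "__main__":
    for mode, stats in run_demo().items():
        print(mode, stats)
```

Run it directly to print both modes. The two runs show the caveat the assessment turns on: with a complete inventory the filter discards three of the six alerts, but with a discovered inventory an absent or version-less entry cannot distinguish "not installed" from "not observed", so those alerts must be kept and only one is discarded. Treating "not observed" as "not installed" would be the unsafe shortcut, since it would discard alerts for attacks that may well have succeeded.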
